Which of the following trust relationships is developed between two child domains created within a domain tree in a forest?
Managing Trusts

As you learned earlier, one of the most important differences between Windows NT 4.0 domains and Windows 2000 domains is the way trust relationships are created and maintained between domains within the organization. Rather than establish a web of one-way trusts as required in Windows NT 4.0, Windows 2000 implements transitive trusts that span the domain tree and forest structure. This model greatly simplifies administration.

Trust Relationships

Trust relationships in Windows NT 4.0 can be represented in the following equation (with n equaling the number of domains):
Therefore, a company with 6 domains needs to establish 30 trust relationships (6*(6–1)).

Trust relationships among Windows 2000 domains can be represented in the following equation:
Therefore, a company with 6 domains needs to establish 5 trust relationships (6–1). That's a significant difference in the number of trust relationships that must be managed, particularly when you're in a corporation with hundreds of NT 4.0 domains!

Another feature of trusts between Windows 2000 domains is that they are created and implemented by default. As you install domain controllers, trusts are automatically created. This process is tied to the fact that Windows 2000 domains are hierarchically created. That enables Windows 2000 to automatically know which domains are included in a given domain tree, and when trust relationships are established between root domains, to automatically know which domain trees are included in the forest.

In contrast, administrators had to create (and subsequently manage) trust relationships between Windows NT domains, and they had to remember which way the trust relationships flowed (and how that affected user rights and permissions in either domain). The difference is significant, the management overhead is sliced to a fraction, and the implementation of such trusts is more intuitive—all due to the new trust model and the hierarchical approach to domains and domain trees.

Windows 2000 incorporates three types of trust relationships. The trust relationships available to Windows 2000 domains are the following:
One-Way Trusts

One-way trusts are obviously not two-way, nor are they transitive. You can still create one-way trusts just like in a Windows NT 4.0 environment. However, creating multiple one-way trusts does not create a transitive trust. One-way trusts can be used when creating trust relationships with Windows NT 4.0 domains.
You can also implement one-way trust relationships between domains in different Windows 2000 forests. This capability allows you to isolate the trust relationship to the domain where the relationship is created and maintained rather than create a trust relationship that affects the entire forest. These one-way trusts are called explicit trusts.

Transitive Trusts

Transitive trusts establish a trust relationship between two domains that is able to flow through to other domains. If you assume that domain A trusts domain B, and domain B trusts domain C, then domain A inherently trusts domain C and vice versa. Let's look at the Windows 2000 domain example in Figure 3.2.

Figure 3.2

In this example, kevinkocis.com trusts na.kevinkocis.com, and na.kevinkocis.com trusts il.na.kevinkocis.com. Therefore, kevinkocis.com trusts il.na.kevinkocis.com. Transitive trusts reduce the administrative overhead traditionally associated with domain trust maintenance. In Windows 2000, transitive trust relationships between parent and child domains are automatically established whenever new domains are created in the domain tree.
Cross-Link Trusts (Shortcut Trusts)

Cross-link trusts (or shortcut trusts, as they are sometimes referred to) can increase authentication performance by establishing one-way transitive trusts between two domains. With cross-link trusts, a virtual link is created within the tree or forest hierarchy, enabling faster trust relationship confirmations. Cross-link trusts are established between nonadjacent domains that are logically distant from each other in a forest or domain tree. You should implement cross-link trusts only if your network is experiencing heavy authentication traffic along the path between the domains. In Figure 3.3, if users in the bz domain of the tree are continually accessing resources in the il domain in the other branch, the authentication traffic can affect network and authentication performance.

Figure 3.3

A better approach is to create a cross-link trust between domains bz and il, which enables authentications between the domains to occur without traversing the domain tree back to the root and down the other branch. The result is better performance in terms of authentication and less traffic to domains and DCs not directly involved in the process.

Adding Trusts

Two-way transitive trusts are created by default when additional Windows 2000 domains are added to the tree or forest. In the case of down-level domains, explicit trusts must be created. To create an explicit domain trust, do the following:
Modifying Trusts

Even though trusts are created by default, if your enterprise consists of multiple down-level domains, you may need to modify these trusts. Cross-link trusts may also require verification at certain timed intervals (such as in the event of a down-level domain upgrading to Windows 2000, or the separation of a previous trust collaboration). To verify a trust, follow these steps:
To revoke a trust, follow these steps:
What is trust relationship between domains?

Trust relationships are an administration and communication link between two domains. A trust relationship between two domains enables user accounts and global groups to be used in a domain other than the domain where the accounts are defined.
Which trust is created with child domain?

The tree-root trust is a trust that is created between any child domain and the root domain. This provides a shortcut to the root. This trust relationship is also automatically created when a new domain tree is created.
Which type of trust is automatically created between the domains in a domain tree?

Transitive and non-transitive trusts
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain.
What is trust type of trust by default trust between domains in forest?

Realm Trust

These are trusts between a domain or a forest and another domain or forest that is not based on Windows Active Directory. A Realm Trust can be established to provide resource access and cross-platform interoperability between an AD DS domain and a non-Windows Kerberos v5 realm.
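The trust path that the Transitive Trusts and Cross-Link Trusts sections above describe, modeled as an added example (not code from the original article or from Windows). The names sa.kevinkocis.com and bz.sa.kevinkocis.com are assumed placements, since Figure 3.3 is not reproduced on this page; the block also counts the parent-child trusts created automatically (n–1).

```python
# Added example: a model of trust-path traversal in one domain tree.
# kevinkocis.com, na and il come from the page; sa.kevinkocis.com and
# bz.sa.kevinkocis.com are assumed placements (Figure 3.3 is not on the page).
ROOT = "kevinkocis.com"

def chain_to_root(domain, root=ROOT):
    """Return the domain followed by each ancestor up to the tree root."""
    if domain != root and not domain.endswith("." + root):
        raise ValueError(f"{domain} is not in the {root} tree")
    chain = [domain]
    while chain[-1] != root:
        # Parent domain = DNS name with its leftmost label removed.
        chain.append(chain[-1].split(".", 1)[1])
    return chain

def trust_path(account_dom, resource_dom, shortcuts=frozenset(), root=ROOT):
    """Domains traversed when a user in account_dom reaches resource_dom.

    shortcuts holds (trusting, trusted) pairs. A cross-link trust is one-way,
    so it is used only when resource_dom directly trusts account_dom; this
    model does not cover partial shortening of longer paths.
    """
    if (resource_dom, account_dom) in shortcuts:
        return [account_dom, resource_dom]
    up = chain_to_root(account_dom, root)
    down = chain_to_root(resource_dom, root)
    # Closest common ancestor: first domain on the way up that is also
    # an ancestor of (or equal to) the resource domain.
    common = next(d for d in up if d in down)
    return up[:up.index(common) + 1] + down[:down.index(common)][::-1]

def default_trusts(domains, root=ROOT):
    """Parent-child trusts created automatically: one per non-root domain."""
    return [(d, chain_to_root(d, root)[1]) for d in domains if d != root]

BZ, IL = "bz.sa.kevinkocis.com", "il.na.kevinkocis.com"
TREE = [ROOT, "na.kevinkocis.com", "sa.kevinkocis.com", BZ, IL]
CROSS_LINK = {(IL, BZ)}   # il trusts bz: bz users reach il resources

if __name__ == "__main__":
    print(len(default_trusts(TREE)), "automatic trusts for", len(TREE), "domains")
    print("no shortcut:", " -> ".join(trust_path(BZ, IL)))
    print("cross-link :", " -> ".join(trust_path(BZ, IL, CROSS_LINK)))
    print("reverse    :", " -> ".join(trust_path(IL, BZ, CROSS_LINK)))
```

Because the cross-link trust is one-way, the reverse direction (il users reaching bz resources) still traverses every domain between the two branches, so each of those domains remains part of that authentication path.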